Microsoft Bitlocker Administration and Monitoring (MBAM)



Table of Contents

Microsoft Bitlocker Administration and Monitoring (MBAM)

Exercise 1 Microsoft Bitlocker Administration and Monitoring Features

Exercise 2 Provisioning Administration and Monitoring Policy

Exercise 3 Client Agent User Experience

Exercise 4 Compliance and Audit Reporting

Exercise 5 Key Recovery and TPM Management

Exercise 6 Managing Hardware Compatibility


Objectives After completing this lab, you will be better able to:

Review the installed elements of the MBAM solution

Use Group Policy to provision the MBAM reporting and recovery components as well as enterprise BitLocker enforcement

Review the MBAM client user experience

Use MBAM reporting features

Use the MBAM Key Recovery page to retrieve recovery key information

Scenario Microsoft BitLocker Administration and Monitoring™ (MBAM) provides a simplified administrative interface to BitLocker Drive Encryption™ (BDE). MBAM allows you to select BDE encryption policy options appropriate to your enterprise, monitor client compliance with those policies, generate reports on the encryption status of missing devices, and quickly provide BDE recovery keys to end users that have entered recovery mode. This hands-on lab will show you some of the management features available in MBAM. You will learn how to set enforcement and management policies, run compliance reports, and see how key recovery works using the Key Recovery Portal.

Estimated Time to Complete This Lab

60 Minutes

Computers used in this Lab: NYC-DC1, NYC-SVR2

The password for the Administrator account on all computers in this lab is: Pa$$w0rd


Exercise 1 Microsoft Bitlocker Administration and Monitoring Features

Scenario In this exercise, we will look at some of the installed features and requirements for the Microsoft BitLocker Administration and Monitoring (MBAM) solution.

Tasks Detailed Steps

Complete the following task on:

NYC-SVR2

1. Review the installed database features

a. Log on to NYC-SVR2 using the following credentials:

User Name: Administrator

Password: Pa$$w0rd

Domain : CONTOSO

b. Open SQL Server Management Studio.

c. On the Connect to SQL dialog, click Connect.

d. In the Object Explorer, expand NYC-SVR2 | Databases.

Note: The two databases created when installing Microsoft BitLocker Administration and Monitoring (MBAM) are the Compliance Status Database and the Recovery and Hardware Database.

MBAM Compliance Status Database – stores the current BitLocker enforcement status reported by each MBAM client.

MBAM Recovery and Hardware Database – stores the recovery key information and the hardware profile reported by each computer with the MBAM client agent installed.

The MBAM database and reporting features require Microsoft SQL Server 2008 or SQL Server 2008 R2 (Database Engine and Reporting Services) in the Standard, Developer, Enterprise or Datacenter edition.

e. In the Object Explorer, expand NYC-SVR2 | Security | Logins.

f. Under the Logins node, take note of the following access accounts:

NYC-SVR2\MBAM Compliance Auditing DB Access

NYC-SVR2\MBAM Recovery and Hardware DB Access

Note: MBAM installs two local groups, each with its own SQL login, to control access to the Compliance Status database and the Recovery and Hardware database respectively.

g. Close SQL Server Management Studio.


Exercise 2 Provisioning Administration and Monitoring Policy

Scenario Microsoft BitLocker Administration and Monitoring (MBAM) provides a Group Policy template that helps you configure the enterprise BitLocker enforcement settings as well as the typical enterprise BitLocker enforcement policies.

In this exercise we will configure the key recovery and status reporting endpoints, as well as configure a BitLocker enforcement policy for a department organizational unit.

Tasks Detailed Steps

Complete the following task on:

NYC-SVR2

1. Configure the backend and status reporting policies

a. Perform the following on NYC-SVR2.

b. Open Group Policy Management Console.

c. Expand Forest: CONTOSO.COM | Domains | CONTOSO.COM.

d. Right-click CONTOSO.COM and click Create a GPO in this domain, and Link it here….

e. In the New GPO dialog, enter a name of MBAM Configuration and click OK.

f. In the console tree, right-click MBAM Configuration and click Edit.

g. In the Group Policy Management Editor, expand Computer Configuration | Policies | Administrative Templates | Windows Components and click MDOP MBAM (BitLocker Management).

Note: The MDOP MBAM (BitLocker Management) node is a superset of the existing BitLocker Drive Encryption policies available in the Windows Server 2008 and Windows Server 2008 R2 templates, plus the MBAM recovery and reporting policies. When implementing MBAM, administrators should use the MDOP MBAM (BitLocker Management) node exclusively for all BitLocker policy, so that MBAM-managed and native BitLocker settings do not conflict.

h. In the console tree, expand MDOP MBAM (BitLocker Management) and click Client Management.

i. In the details pane, double-click Configure MBAM services.

j. In the Configure MBAM services window, click to select the Enabled radio button and configure the following options:

Note: You can copy and edit the example URL text from the Help textbox to the right of the Options pane. The lab endpoints below use plain HTTP; recovery keys and compliance data travel over these connections, so in a production deployment publish the MBAM web services over HTTPS and enter the https:// form of each URL here.

MBAM Recovery and Hardware service endpoint: http://nyc-svr2.contoso.com:2450/MBAMRecoveryandHardwareService/CoreService.svc

MBAM Status reporting service endpoint: http://nyc-svr2.contoso.com:2450/MBAMComplianceStatusService/StatusReportingService.svc

k. Click Next Setting.

l. On the Allow hardware compatibility checking page, click to select the Enabled radio button.

Note: When this policy is enabled, the MBAM client agent validates the computer's model against the hardware compatibility list to ensure that the model is capable of BitLocker Drive Encryption. We will look at this in more depth in Exercise 6.

m. Click Next Setting twice.


n. On the Configure user exemption policy, click to select the Enabled radio button and configure the following options:

Select the method of contacting users with instructions: Provide an email address

Enter the appropriate e-mail address: [email protected]

o. Click OK.

p. Close Group Policy Management Editor.

Complete the following task on:

NYC-SVR2

2. Configure BitLocker enforcement for Marketing Department

a. In the Group Policy Management Console, right-click the Marketing OU and click Create a GPO in this domain, and Link it here….

b. In the New GPO dialog, enter a name of Marketing Bitlocker Enforcement and click OK.

c. In the console tree, expand the Marketing OU, right-click Marketing Bitlocker Enforcement and click Edit.

d. In the Group Policy Management Editor, expand Computer Configuration | Policies | Administrative Templates | Windows Components | MDOP MBAM (BitLocker Management).

e. In the console tree, click Operating System Drive.

f. In the details pane, double-click Operating system drive encryption settings.

g. Click to select the Enabled radio button and configure the following values:

Select protector for operating system drive: TPM and PIN

Allow enhanced PINs for startup: Disabled (default)

Configure minimum PIN length for startup: 8

h. Click OK.

i. In the console tree, click Removable Drive.

j. In the details pane, double-click Control use of BitLocker on removable drives.

k. Click to select the Enabled radio button.

l. Click Next Setting.

m. On the Deny write access to removable drives not protected by BitLocker page, click to select the Enabled radio button.

n. Click OK.

o. Close Group Policy Management Editor.
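The two policies configured above only take effect once they reach a client and the endpoints they name actually answer. The PowerShell below is an added example for checking that from a client; it is not part of the original lab and not MBAM's own code. It assumes the client stores the "Configure MBAM services" values under HKLM\SOFTWARE\Policies\FVE\MDOPBitLockerManagement as KeyRecoveryServiceEndPoint and StatusReportingServiceEndPoint (verify against your ADMX), and it uses the lab's own URLs from step j.

```powershell
# Added example (not from the original lab): confirm on a client that the
# "Configure MBAM services" policy above has arrived and that both service
# endpoints answer. Assumption to verify against your ADMX: the MBAM client
# reads these values from HKLM\SOFTWARE\Policies\FVE\MDOPBitLockerManagement as
# KeyRecoveryServiceEndPoint and StatusReportingServiceEndPoint. The URLs in
# $labUrls are the lab's own. Written for PowerShell 2.0.

function Get-MbamEndpointPolicy {
    # Returns both endpoint URLs from the policy key; properties are $null
    # until Group Policy has applied on this machine.
    $key   = 'HKLM:\SOFTWARE\Policies\FVE\MDOPBitLockerManagement'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        KeyRecovery     = $props.KeyRecoveryServiceEndPoint
        StatusReporting = $props.StatusReportingServiceEndPoint
    }
}

function Test-MbamEndpoint {
    param([Parameter(Mandatory=$true)][string]$Url)
    # Authenticated GET against the .svc address. Any HTTP status, even 4xx/5xx,
    # proves a listener is there; only a transport failure (DNS, connection
    # refused, timeout) is reported as unreachable. Plain http:// is flagged
    # because recovery passwords and compliance data cross this connection.
    $result = New-Object PSObject -Property @{
        Url = $Url; Reachable = $false; StatusCode = $null
        UsesTls = $Url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)
    }
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method = 'GET'
        $req.UseDefaultCredentials = $true   # Windows authentication, as the agent uses
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $result.StatusCode = [int]$resp.StatusCode
        $result.Reachable  = $true
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -ne $null) {
            $result.StatusCode = [int]$_.Exception.Response.StatusCode
            $result.Reachable  = $true
        }
    }
    $result
}

# Lab endpoints from step j. Once the policy has applied, use the values the
# client actually received instead:
#   $p = Get-MbamEndpointPolicy; $urls = @($p.KeyRecovery, $p.StatusReporting)
$labUrls = @(
    'http://nyc-svr2.contoso.com:2450/MBAMRecoveryandHardwareService/CoreService.svc',
    'http://nyc-svr2.contoso.com:2450/MBAMComplianceStatusService/StatusReportingService.svc'
)
foreach ($url in $labUrls) {
    $r = Test-MbamEndpoint -Url $url
    $state = if ($r.Reachable) { "up (HTTP $($r.StatusCode))" } else { 'UNREACHABLE' }
    $tls   = if ($r.UsesTls) { '' } else { ' [plain HTTP: not encrypted in transit, use https in production]' }
    Write-Host "$($r.Url): $state$tls"
}
```

Run it on a member of the Marketing OU after gpupdate; a registry key that is still empty means the GPO has not applied, while a reachable endpoint with a 401 still confirms the service is listening and only the caller's credentials need attention.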


Exercise 3 Client Agent User Experience

Scenario The Microsoft BitLocker Administration and Monitoring (MBAM) client agent can be installed at deployment or advertised using either MDT 2010, System Center Configuration Manager 2007, Group Policy, or any third party software distribution tool you prefer. The client agent has a service component that will automatically start and report according to policies set in Group Policy. Additionally, the MBAM client has a user friendly interface that will prompt for BitLocker enforcement according to corporate policy.

In this exercise we will preview the MBAM client experience.

Tasks Detailed Steps

Complete the following task on:

NYC-SVR2

1. Client Agent User Experience

a. The following steps are informational only, because the lab virtual machines do not support BitLocker encryption. Click-through steps resume in the next exercise.

b. When a user logs on to a domain-joined machine that has the MBAM client agent installed and receives policy that enforces BitLocker encryption, the following wizard appears if the machine is not yet protected by BitLocker:

c. If the TPM needs to be cleared and ownership taken, the wizard will note that a shutdown will be required before the encryption process can begin.


d. After the user clicks Start, the wizard will perform a System Check to look for any issues that will conflict with the encryption process.

e. When the TPM needs to be cleared and ownership taken, the wizard will prompt for a full shutdown and manual restart of the computer. After TPM ownership has been taken and the reboot performed, the wizard will continue with the encryption process.


f. If there are no issues or TPM configuration needed, the wizard will continue directly to the Create a new PIN page (if the policy is configured to require a PIN), where the user will be prompted to create a PIN according to the length specifications set in Group Policy:

g. If the PIN entered meets the policy requirements, the wizard will begin the encryption of the policy specified drive:


h. The dialog can be closed while encryption takes place, and users can work normally during the encryption process; if the dialog is left open, the wizard displays a success status when encryption completes:
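The wizard above is what the user sees; what the agent later reports to the Compliance Status database is the drive's protector and encryption state. The PowerShell below, added here as an example and not part of the original lab or of MBAM itself, reads that state from manage-bde -status and checks it against the Marketing policy from Exercise 2. The status text is constructed to resemble Windows 7 output, and the Win32_Tpm WMI namespace is the one Windows 7 exposes; both are stated as assumptions in the code.

```powershell
# Added example (not from the original lab): read a client's BitLocker state the
# way the MBAM agent would report it and test it against the Marketing policy
# from Exercise 2 (TPM And PIN protector, fully encrypted, protection on), plus
# the one thing the policy implies but the wizard never shows: a Numerical
# Password protector, i.e. the recovery password MBAM escrows. Parses
# `manage-bde -status` text. The sample below is constructed to resemble
# Windows 7 output; on a real client use: (manage-bde -status C:) -join "`n"
# Written for PowerShell 2.0 (no [PSCustomObject]).

function ConvertFrom-BdeStatus {
    param([Parameter(Mandatory=$true)][string]$StatusText)
    $state = New-Object PSObject -Property @{
        ConversionStatus = $null; PercentEncrypted = $null
        ProtectionStatus = $null; KeyProtectors = @()
    }
    $inProtectors = $false
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^\s*Conversion Status:\s+(.+?)\s*$')  { $state.ConversionStatus = $matches[1]; continue }
        if ($line -match '^\s*Percentage Encrypted:\s+(\d+)%') { $state.PercentEncrypted = [int]$matches[1]; continue }
        if ($line -match '^\s*Protection Status:\s+(.+?)\s*$')  { $state.ProtectionStatus = $matches[1]; continue }
        if ($line -match '^\s*Key Protectors:')                 { $inProtectors = $true; continue }
        if ($inProtectors) {
            # protector names are the indented lines that follow the header,
            # up to the first blank line or the next volume
            if ($line -match '^\s+(\S.*?)\s*$') { $state.KeyProtectors += $matches[1] }
            else { $inProtectors = $false }
        }
    }
    $state
}

function Test-OsDriveCompliance {
    param([Parameter(Mandatory=$true)]$State)
    # Returns Compliant plus the list of findings, so a script can alert on them.
    $findings = @()
    if ($State.KeyProtectors -notcontains 'TPM And PIN') {
        $findings += "policy requires TPM And PIN; protectors present: $($State.KeyProtectors -join ', ')"
    }
    if ($State.KeyProtectors -notcontains 'Numerical Password') {
        $findings += 'no recovery password protector: nothing for MBAM to escrow, a lockout would be unrecoverable'
    }
    if ($State.ConversionStatus -ne 'Fully Encrypted') {
        $findings += "conversion status is '$($State.ConversionStatus)' ($($State.PercentEncrypted)% encrypted)"
    }
    if ($State.ProtectionStatus -ne 'Protection On') {
        $findings += "protection status is '$($State.ProtectionStatus)' (suspended or off)"
    }
    New-Object PSObject -Property @{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Get-HardwareIdentity {
    # Manufacturer and model are what the agent reports for the hardware
    # compatibility list (Exercise 6); a model left at Unknown there is exempted
    # from enforcement. Assumed WMI namespace for the TPM class: Windows 7's.
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Manufacturer = $cs.Manufacturer; Model = $cs.Model; TpmPresent = ($tpm -ne $null)
    }
}

# Constructed sample (not captured from the lab machines):
$sample = @"
Volume C: [OS]
[OS Volume]

    Size:                 59.90 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM And PIN
        Numerical Password
"@

$result = Test-OsDriveCompliance -State (ConvertFrom-BdeStatus -StatusText $sample)
$result | Format-List
Get-HardwareIdentity | Format-List
# The same check on the running client:
# Test-OsDriveCompliance -State (ConvertFrom-BdeStatus -StatusText ((manage-bde -status C:) -join "`n"))
```

The missing-Numerical-Password finding is the one worth alerting on: a drive protected by TPM and PIN with no recovery password has nothing for MBAM to escrow, so the Drive Recovery page in Exercise 5 would have nothing to return when that user forgets the PIN.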


Exercise 4 Compliance and Audit Reporting

Scenario Microsoft BitLocker Administration and Monitoring (MBAM) allows IT administrators to track the status of BitLocker on corporate desktops and laptops, as well as generate compliance reports for security administration. The reporting can be done on a computer level, useful particularly in the case of lost or stolen computers, or at the organizational level, in order to check corporate wide compliance.

The MBAM Compliance and Audit Reports page allows access for a wide range of users. You can configure access to reports for users based on their roles in the organization. Think about what kind of information you want to make available to IT administrators, non IT managers (for example, Finance or HR professionals) and owners of individual systems.

In this exercise we will view a variety of reports and filter data available through the MBAM Compliance and Audit Reports page.

Tasks Detailed Steps

Complete the following task on:

NYC-SVR2

1. View the Enterprise Compliance Report

a. Perform the following on NYC-SVR2.

b. Launch the MBAM Administration website shortcut from the desktop.

Note: The default home page will open to the BitLocker Administration & Monitoring page.

c. In the navigation pane, click Reports.

d. In the details pane of the Reports page, click Enterprise Compliance Report.

Note: The Enterprise Compliance Report displays in a moment, showing the encryption compliance status of the entire enterprise.

e. Expand the Compliance Status drop-down and click to deselect the Compliant check box.

Note: The Compliance Status filtering can be used to quickly review which computers in the enterprise are in a non-compliant state.

f. Click View Report.

Note: The Report now shows all computers that are currently not in compliance with corporate Bitlocker policy.

Complete the following task on:

NYC-SVR2

2. Open Report Manager and view the Computer Compliance Report

a. On the Compliance and Audit Reports page, click Computer Compliance Report.

b. In the device user or computer name field, type ACon and click View Report.

Note: The user Aaron Con has logged on to a variety of managed computers, in various states of compliance with corporate encryption policy. In addition to the Computer Type and Operating System information, you can view the Manufacturer and Model of the computers Aaron has used, as well as the last time each client communicated with the reporting service.

c. Scroll down and click the + next to CLIENT7 and review the computer status details.

Note: The policies for both OS and non-OS drives can be viewed, as well as the protector and encryption state and compliance status for each available drive.

d. In the device user or computer name field, clear the field and type CLIENT14 and click View Report.

e. Scroll the report to view the additional details.


Note: The same data is available in the computer name based reporting, along with information on the Device Users for that particular computer.


Exercise 5 Key Recovery and TPM Management

Scenario A primary feature of the Microsoft BitLocker Administration and Monitoring solution is the key recovery website. This website is designed to help Tier 1 and Tier 2 help desks/IT Professionals support enterprise BitLocker key recovery. One primary support scenario would be the ability to distribute recovery passwords to employees who have lost their PIN and have valid domain credentials and a valid Recovery Key ID.

In this exercise, we will look at the scenario of a lost PIN leading to a drive lock-out and prompt for a recovery password for the drive.

Tasks Detailed Steps

Complete the following task on:

NYC-SVR2

1. Review AD key recovery method

Note: When a user has lost their PIN, they will enter recovery mode and be prompted by BitLocker to enter a recovery password in order to regain access to the encrypted drive.

Note: Without MBAM, typically a user will have to consult with the help desk who will in turn need to escalate to someone with access to the key recovery data stored in Active Directory (a feature that must be enabled in Group Policy).

a. Perform the following on NYC-SVR2.

b. Click Start | Administrative Tools | Active Directory Users and Computers.

c. In the console tree, click the Accounting OU.

d. In the details pane, right-click CLIENT12 and click Properties.

e. Click the Bitlocker Recovery tab.

Note: Traditionally security or IT administrators would need access to Active Directory to recover Bitlocker key recovery information.


f. Click Cancel and close Active Directory Users and Computers.

Complete the following task on:

NYC-SVR2

2. Modify the MBAM Recovery page user groups

a. On the Start menu, search for Local Users and Groups.

Note: Roles and permissions for the MBAM Key Recovery page are configured through local groups on the web server.

b. In the console tree, click Groups.

c. In the details pane, double-click MBAM Advanced Helpdesk Users.

Note: This permission tier of the recovery website lets Help Desk Administrators retrieve recovery information with only a Key ID, without a User ID. Use it for Tier 2 support staff who need to recover drives outside of the normal user-assisted scenario, and keep its membership small, since anyone in it can obtain the recovery password for any managed drive.

d. Click Add.

e. Type Contoso\ITAdmin and click Check Names.

f. Click OK twice.

g. In the details pane, right-click MBAM Helpdesk Users and click Add to Group.

Note: This permission tier of the recovery website requires Help Desk personnel to supply both a User ID and a Key ID to retrieve recovery information. This group authorizes Tier 1 support staff who work directly with desktop users in recovery scenarios.

h. Click Add.

i. Type Contoso\ITHelpDesk and click Check Names.

j. Click OK twice.

k. Close Local Users and Groups.

l. Click Start and right-click Computer.

m. Click Properties and then click Remote Settings.

n. Click Select Users and then click Add.

o. Type Contoso\ITAdmin; Contoso\ITHelpDesk, click Check Names and then click OK three times.

Complete the following task on:

NYC-SVR2

3. Using the Drive Recovery page in the IT Help Desk role

a. Click Start | Log off.

b. Right-click NYC-SVR2 in the Remote Desktops pane on the left and log on as Contoso\ITHelpDesk with a password of Pa$$w0rd.

Note: In this context we will be logging on in the Help Desk role. The help desk personnel will require both a User ID and a Key ID from the desktop user in order to retrieve recovery information.

c. Launch the MBAM Administration website shortcut from the desktop.

Note: The default home page will open to the BitLocker Administration & Monitoring page.

d. In the navigation pane, click Drive Recovery.

Note: The BitLocker Drive Recovery page allows support staff to access key recovery information without the need to escalate to senior IT Administrators or exposing Active Directory to a broader set of users.

e. Enter the following information on the Unlock a BitLocker Encrypted Drive page:

User Domain: CONTOSO.COM

User ID: ACon

Key ID: 553c491c


Reason for Drive Unlock: Lost PIN

f. Click Submit.

Note: The Drive Recovery Key will display below.

g. Close Internet Explorer.

Complete the following task on:

NYC-SVR2

4. Using the Drive Recovery page in the IT Administrator role

a. Click Start | Log off.

b. Log on as Contoso\ITAdmin with a password of Pa$$w0rd.

Note: Here we are logged in as an IT administrator seeking recovery information outside of the context of user recovery. IT administrators only require a Key ID in order to retrieve recovery information.

c. Launch the MBAM Administration website shortcut from the desktop.

Note: The default home page will open to the BitLocker Administration & Monitoring page.

d. In the navigation pane, click Drive Recovery.

e. Enter the following information on the Unlock a Bitlocker Encrypted Drive page:

Key ID: 553c491c

Reason for Drive Unlock: Operating System Boot Order changed

f. Click Submit.

g. Click Save.

h. At the Internet Explorer prompt, click the drop down and select Save As and save the text file to the desktop.

Note: This creates a text file containing the recovery password, which the help desk can send to the user by e-mail so it can be read on a phone or another computer. The file holds the complete unlock secret for the drive, so delete it once it has been passed on.

i. Close the download prompt.

j. Click Save Package.

k. At the Internet Explorer prompt, click Save As and save the key package file to the desktop.

Note: The key package can be used with the BitLocker Repair Tool to recover data from a damaged volume. Administrators run the repair-bde command with the -KeyPackage option, together with the recovery password or recovery key for the volume, from another Windows installation with the damaged drive attached.

l. Close the download prompt.
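The recovery password retrieved above is read out over the phone or pasted into repair-bde, and a single mistyped digit makes it useless. The PowerShell below is an added example, not part of the original lab and not MBAM's own code: it checks the structure of a 48-digit recovery password and builds the repair-bde command that uses the key package saved in step k. The sample passwords are constructed (the lab never prints its own), the key package file name is a placeholder, and the structural rule it relies on is BitLocker's documented recovery-password format rather than anything on this page.

```powershell
# Added example (not from the original lab): check a 48-digit recovery password
# before it is read to a user or fed to repair-bde, and build the repair-bde
# command that uses the key package saved from the Drive Recovery page.
# Format facts used (BitLocker recovery-password structure, not lab content):
# eight groups of six digits; each group is a 16-bit value multiplied by 11, so
# every group must divide by 11 and the quotient must be at most 65535. A single
# mistyped digit breaks the divisibility, which is what this catches.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory=$true)][string]$Password)
    $groups = $Password.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0) { return $false }      # check digit failed
        if (($n / 11) -gt 65535) { return $false }  # group does not encode 16 bits
    }
    return $true
}

function New-BdeRepairCommand {
    # Builds (does not run) the repair-bde line. repair-bde must be run from a
    # working Windows installation with the damaged disk attached as a data
    # volume; the output volume or image is overwritten and must be at least as
    # large as the input. -KeyPackage needs the recovery password
    # (-RecoveryPassword) or the recovery key file (-RecoveryKey) alongside it.
    param(
        [Parameter(Mandatory=$true)][string]$DamagedVolume,    # e.g. 'E:' (the OS drive as seen from the repair system)
        [Parameter(Mandatory=$true)][string]$OutputVolume,     # e.g. 'F:' or 'F:\decrypted.img'
        [Parameter(Mandatory=$true)][string]$KeyPackagePath,
        [Parameter(Mandatory=$true)][string]$RecoveryPassword,
        [string]$LogFile = "$env:TEMP\repair-bde.log"
    )
    if (-not (Test-BitLockerRecoveryPassword -Password $RecoveryPassword)) {
        throw 'recovery password fails the structure check; re-read it from the Drive Recovery page'
    }
    "repair-bde $DamagedVolume $OutputVolume -KeyPackage `"$KeyPackagePath`" -RecoveryPassword $RecoveryPassword -LogFile `"$LogFile`""
}

# Constructed sample values (not the lab's; the lab never prints its password):
$validPw  = '135795-597531-000011-720885-440000-024442-366663-000077'
$typoPw   = '135795-597531-000011-720885-440000-024442-366663-000078'  # last group no longer a multiple of 11
$overflow = '135795-597531-000011-720896-440000-024442-366663-000077'  # 720896 = 11 * 65536, too large for 16 bits
foreach ($pw in $validPw, $typoPw, $overflow) {
    Write-Host ("{0}  valid={1}" -f $pw, (Test-BitLockerRecoveryPassword -Password $pw))
}
# Key package path is a placeholder for the file saved in step k above.
New-BdeRepairCommand -DamagedVolume 'E:' -OutputVolume 'F:' `
    -KeyPackagePath "$env:USERPROFILE\Desktop\KeyPackage-553c491c" -RecoveryPassword $validPw
```

The structure check is deliberately the only validation: it confirms the digits were transcribed correctly, not that the password belongs to the drive, which only BitLocker itself can establish when the volume is unlocked or repaired.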

Complete the following task on:

NYC-SVR2

5. Using the Manage TPM page

a. Click Manage TPM.

Note: The Manage TPM form lets administrators retrieve the TPM Owner Password File when a TPM has locked users out and no longer accepts PINs.

b. Enter the following information on the Manage TPM page:

Computer Domain: Contoso

Computer Name: CLIENT10

Reason for requesting TPM Owner Password File: Reset PIN lockout

c. Click Submit.

Note: The TPM Owner Password File will appear. Administrators can use this to reset a PIN lockout or perform TPM management tasks.

d. Click Save File.

e. In the dialog, save the CLIENT10.TPM file to the Desktop.

f. Click Done.

g. Close the download prompt.


Exercise 6 Managing Hardware Compatibility

Scenario The Hardware Compatibility management feature of Microsoft BitLocker Administration and Monitoring enables members of the MBAM Hardware Users role to define the types of hardware (e.g. manufacturer, model, or TPM chip) that are compatible with BitLocker technology and can be successfully encrypted using MBAM. The administrator can also use Hardware Compatibility to exempt computer models from BitLocker protection if the model is not BitLocker compatible or is not supported by the organization.

When enabling the group policy to allow the MBAM agent to perform hardware compatibility checking, the MBAM agent will collect the computer hardware information and save all unique models in the MBAM service. When a new model is collected from a computer, its Hardware Capability status will be set to Unknown. The MBAM administrator can then use the MBAM Hardware Compatibility web page to specify hardware models as capable or incapable to support BitLocker operation.

When the capability status of a computer is set to Unknown or Unsupported, the MBAM agent will exempt the model from BitLocker protection and make its encryption status Hardware exempted. The MBAM agent will only enforce BitLocker protection policy if the hardware capability status is Capable or the group policy is disabled for hardware compatibility checking.

Tasks Detailed Steps

Complete the following task on:

NYC-SVR2

1. View the Hardware Compliance page

a. Click Start | Log off.

b. Right-click NYC-SVR2 in the Remote Desktop pane and select Connect.

c. Launch the MBAM Administration website shortcut from the desktop.

d. In the navigation pane, click Hardware.

e. On the Hardware Compatibility page, review the models and their corresponding support status.

Note: The Hardware Compatibility page displays all MBAM client reported models as well as hardware added manually by administrators.

The MBAM agent automatically rechecks the hardware compatibility of a computer on a regular basis. The MBAM administrator must also manage the hardware compatibility list from the MBAM web site to ensure that newly discovered hardware models flagged as Unknown are set to Compatible or Incompatible; until that happens, those models remain exempt from enforcement.

By default, Incompatible hardware will be rechecked for capability every 7 days, while Unknown and Compatible hardware compatibility will be checked every 24 hours.

f. Click to select the checkbox next to the TOSHIBA Satellite A205.

g. Click Change to Compatible.

h. In the dialog, click OK to set the compatibility status.

Note: Compatibility status for new computers is by default set to Unknown. MBAM administrators can review new hardware specifications and then set the supportability status through Hardware Compatibility page.

i. Click Add.

Note: Hardware entries can also be manually added and Bitlocker capability set.

j. Click Cancel.

k. Close Internet Explorer.


Note: Thank you for taking the time to learn about Microsoft BitLocker Administration and Monitoring. More information on Microsoft BitLocker Administration and Monitoring (MBAM) can be found online:

Microsoft BitLocker Administration and Monitoring (MBAM) on Microsoft:

http://www.microsoft.com/windows/enterprise/products/mdop/mbam.aspx

Windows Client TechCenter > Home > Microsoft Desktop Optimization Pack:

http://technet.microsoft.com/en-us/windows/bb899442.aspx

The Official MDOP Blog:

http://blogs.technet.com/b/mdop